Report No. 06-INTEL-03
February 28, 2006

DEPARTMENT OF DEFENSE
OFFICE OF INSPECTOR GENERAL

DEPUTY INSPECTOR GENERAL FOR INTELLIGENCE

Inspection Guidelines for DoD Research and Technology Protection, Security, and
Counterintelligence for 2006

Additional Information and Copies

To obtain additional copies of this report, contact Mr. Donald A. Ragley at (703)
604-8896 (DSN 664-8896) or fax (703) 604-0045.

Suggestions for Future Evaluations

To suggest ideas for or to request future evaluations of Defense intelligence issues,
contact the Office of the Deputy Inspector General for Intelligence at (703)
604-8896 (DSN 664-8896) or fax (703) 604-0045. Ideas and requests can also be
mailed to:

    Office of the Deputy Inspector General for Intelligence
    Department of Defense Office of Inspector General
    400 Army Navy Drive (Room 703)
    Arlington, VA 22202-4704

Department of Defense Office of Inspector General
Report No. 06-INTEL-03, February 28, 2006
(Project No. D2006-DINT01-0031)

Inspection Guidelines for DoD Research and Technology
Protection, Security and Counterintelligence for 2006

Executive Summary

Who Should Read This Report and Why? DoD civilian and military personnel who
are responsible for, supervise any aspect of, or provide oversight for the protection of
research and technology information in DoD research, development, test and evaluation
facilities should read this report.
This report publishes the guidelines for inspecting
research and technology protection, security, and counterintelligence practices at DoD
research, development, test, and evaluation facilities to enhance Department-wide
consistency in the oversight process.

Background. These guidelines satisfy the requirement in the Deputy Secretary of
Defense memorandum for Inspection of Security and Counterintelligence Practices at
Laboratories and Centers, February 17, 2000. On May 8, 2002, the DoD Inspector
General; the Deputy Under Secretary of Defense for Laboratories and Basic Sciences; the
Director, Operational Test and Evaluation; the Service Inspectors General; and the
Director, Program Integration, Internal Management Review (formerly Internal
Assessments), Missile Defense Agency signed a memorandum of understanding on
security, technology protection, and counterintelligence inspections.

The memorandum of understanding requires participating Inspectors General and the
Director, Program Integration, Internal Management Review, Missile Defense Agency to
inspect research, development, test, and evaluation facilities as part of their normal
inspection cycle, and prepare and forward significant findings and recommendations to
the DoD Office of Inspector General at the end of each inspection. The DoD Office of
Inspector General issues the summary report of inspections of security, technology
protection, and counterintelligence practices at DoD research, development, test, and
evaluation facilities.

Results. This report updates the Security, Research and Technology Protection, and
Counterintelligence Inspection Guidelines, Report No. 03-INTEL-09, May 6, 2003.

Management Comments.
No written response to this report was required.

Table of Contents

Executive Summary

Background

Objectives

Areas for Inspections
    Security
    Research and Technology Protection
    Counterintelligence
    International Security

Appendixes
    A. Scope and Methodology
    B. References
    C. Report Distribution

Background

    In early 1999, the Deputy Secretary of Defense directed the Service Inspectors
    General to survey the counterintelligence and security programs at more
    than 60 research, development, test and evaluation facilities. The inspection
    teams identified a number of recommendations related to the specific sites. As a
    result of these efforts, the Deputy Secretary chartered an Overarching Integrated
    Process Team to better frame the recommendations and to oversee their
    implementation. From February 12 to May 12, 2000, the Deputy Secretary signed
    seven memoranda containing 27 tasks aimed at enhancing counterintelligence and
    security support to research, development, test and evaluation facilities and the
    acquisition process.

    On February 17, 2000, the Deputy Secretary signed a memorandum requesting
    that the DoD Office of Inspector General develop a uniform system of periodic
    reviews, through the existing agency and Service inspection processes, for
    compliance with DoD Directives concerning research and technology protection,
    security, and counterintelligence practices. Those reviews were to assist in
    protecting the technology-dependent, cutting edge of U.S. weapon systems.
    The memorandum also requested that the DoD Office of Inspector General develop
    inspection list guidelines for DoD Inspectors General to enhance consistency.

    On May 8, 2002, the DoD Inspector General; the Deputy Under Secretary of
    Defense for Laboratories and Basic Sciences; the Director, Operational Test and
    Evaluation; the Service Inspectors General; and the Director, Program Integration,
    Internal Management Review (formerly Internal Assessments), Missile Defense
    Agency signed a memorandum of understanding on research and technology
    protection, security, and counterintelligence inspections.

    The memorandum of understanding requires participating Inspectors General to
    prepare and forward any significant findings and recommendations to the DoD
    Office of Inspector General at the end of each inspection. It also requires the
    DoD Office of Inspector General to issue a summary report of inspections of
    research and technology protection, security, and counterintelligence practices at
    DoD research, development, test, and evaluation facilities.

Objectives

    The overall objective was to update the guidelines that comprise DoD policy and
    to improve DoD-wide consistency in inspections of research, development, test,
    and evaluation facilities. See Appendix A for a discussion of the scope and
    methodology.

Areas for Inspections

    We updated the guidelines on DoD policy to include ways to better assess
    how DoD implements policy for research and technology protection,
    security, and counterintelligence.
    These guidelines focus on key areas of
    the requirement in the Deputy Secretary of Defense February 17, 2000,
    memorandum, to “develop inspection list guidelines for Department-wide
    Inspectors General to enhance consistency across DoD.” Specifically, the
    inspection areas are research and technology protection, security,
    counterintelligence, and international security.

Security

    General Security

    Have security managers or other key security staff, or both, received specialized
    training to support Research, Development, Test and Evaluation facilities?

    Is the security budget adequate to meet all requirements? If not, what are the
    effects?

    Is the security staff adequate in size, rank/grade, and position within the
    organization?

    Physical Security

    Is there a designated point of contact to oversee the physical security program in
    accordance with DoD Regulation 5200.8, Chapter 2, Section C2.2?

    Are policies and procedures for physical security standards in place (e.g., vault
    and secure room construction standards, intrusion detection system standards,
    access controls and lock replacement), in accordance with DoD
    Regulation 5200.1, Appendix 7?

    Are physical security planning procedures for acquisition of major systems
    appropriate and in accordance with DoD Regulation 5200.8, Chapter 2,
    Sections C2.5. and C2.6.; and Figure C2.F2?

    Do procedures and policies in place restrict access to installations and facilities, in
    accordance with DoD Regulation 5200.8, Chapter 3, Sections C3.1.
    and C3.2.? Specifically, do they:

       • Use a security-in-depth concept to provide graduated levels of protection
         from the installation perimeter to critical assets?

       • Determine the degree of control required over personnel and equipment
         entering or leaving the installation?

       • Prescribe procedures for inspecting persons, property, and vehicles at
         entry and exit points of installations, at designated secure areas within an
         installation, and for searching persons and their possessions while they are
         on the installation?

       • Enforce the removal of, or deny access to, persons who are a threat to the
         order, security, and discipline of the installation?

       • Designate restricted areas to safeguard property or material?

       • Use random antiterrorism measures within existing security operations to
         reduce patterns, change schedules, and visibly enhance the security profile
         to reduce the effectiveness of preoperational surveillance by hostile
         elements?

    Does the security system provide the capability to detect, assess, communicate,
    delay, and respond to an unauthorized attempt at entry, in accordance with DoD
    Regulation 5200.8, Chapter 2, Section C2.3.2.?

    Is there a matrix of physical security threats to use as a guide to develop program,
    system, command, and installation threat statements that assess potential security
    threats to critical assets, in accordance with DoD Regulation 5200.8, Chapter 2,
    Section C2.4. and Figures C2.F.1.
    and C2.F2?

    Are plans to increase vigilance and restrict access in place at installations and
    facilities under the following situations, in accordance with
    DoD Regulation 5200.8, Chapter 3, Section C3.4.:

       • National emergencies?

       • Disasters?

       • Terrorist threat conditions (See DoD Directive 2000.12 for further
         information)?

       • Significant criminal activity?

       • Civil disturbances?

       • Other contingencies that would seriously affect the ability of installation
         personnel to perform their mission?

    Personnel Security

    Has the organization designated a representative to direct and administer the
    Personnel Security Program (DoD Directive 5200.2, Section 4.3)?

    Are personnel security investigations limited to those essential to current
    operations and authorized by DoD policies, in accordance with
    DoD Regulation 5200.2, Chapter 3, Sections C3.1. and C3.2.; and Appendix 3,
    Tables 1-5?

    Are personnel assigned to proper billets (e.g., special access program, Top
    Secret/Sensitive Compartmented Information)?

    Has the organization designated sensitive positions that require a personnel
    security investigation in accordance with DoD Regulation 5200.2, Chapter 3,
    Sections C3.1. and C3.2.; and Appendix 3, Tables 1-5?
    Was the designating
    official authorized to perform this function, in accordance with DoD
    Regulation 5200.2, Appendix 5?

    Is the process for issuing Top Secret clearances standardized and controlled, in
    accordance with DoD Regulation 5200.2, Chapter 3, Section C3.1.5.?

    Are periodic reinvestigations submitted in a timely manner, in accordance with
    DoD Regulation 5200.2, Section C3.7.?

    Are policies and procedures in place for processing security clearances for
    military, DoD civilian, and contractor personnel who are employed by or are
    serving in a consulting capacity to DoD and who require access to classified
    information as part of their official duties, in accordance with
    DoD Regulation 5200.2, Chapters 2, 3, and 9; and Appendixes 3, 4, and 8?

    Are Limited Access Authorization(s) granted to non-U.S. citizens under
    compelling circumstances or to further the DoD mission, in accordance with
    DoD Regulation 5200.2, Sections C2.1.1. and C3.4.3.; and Appendixes 5 and 6?

    Information Security

    Has the organization committed the necessary resources for the effective
    implementation of the DoD Information Security Program, in accordance with
    DoD Regulation 5200.1, Chapter 1, Section C1.2.2.2.?

    Has the organization designated a security manager and provided that person with
    the requisite training to provide proper management and oversight of the
    organization’s Information Security Program, especially those elements which
    create, handle, or store classified information, in accordance with
    DoD Regulation 5200.1, Chapter 1, Section C1.2.2.3.
    and Chapter 9?

    Is all classified information (hard-copy documents and automated information
    systems media) clearly labeled, designated, or marked, in accordance with
    DoD Regulation 5200.1, Chapter 5 and DoD Pamphlet 5200.1?

    Are policies and procedures in place for transmitting and transporting classified
    information or material approved for release within DoD or to foreign
    governments, in accordance with DoD Regulation 5200.1, Chapter 7 and
    Appendix 8?

    Are procedures in place for reporting compromises of classified information or
    incidents that may put classified information at risk of compromise, in accordance
    with DoD Regulation 5200.1, Chapter 10?

       • If a compromise of a foreign government’s classified information
         occurred, were reports submitted to the Director, International Security
         Programs, Office of the Under Secretary of Defense (Policy), in
         accordance with DoD Regulation 5200.1, Chapter 10, Section C10.1.2.8.?

       • Has classified information for DoD special access programs been
         compromised, and, if so, were reports submitted to the Director, Special
         Access Programs, Office of the Under Secretary of Defense (Policy), in
         accordance with DoD Regulation 5200.1, Chapter 10, Section C10.1.2.9.?

       • Have computer systems, terminals, or equipment been compromised, and,
         if so, were reports submitted through appropriate channels to the Director,
         Information Assurance, Office of the Deputy Assistant Secretary of
         Defense (Security and Information Operations), in accordance with
         DoD Regulation 5200.1, Chapter 10, Section C10.1.2.7.?

    Has the security manager established and maintained an ongoing self-inspection
    program that includes a periodic review and assessment of the facility’s classified
    products, in accordance with DoD Regulation 5200.1,
    Chapter 1,
    Section C1.2.3.4.?

    Is there a coordination process in place for host, tenant, and visiting security
    managers?

    Are policies and procedures in place for sponsoring conferences, seminars,
    symposia, exhibits, or conventions at which classified information is disclosed
    and which is conducted by a DoD Component, by a cleared DoD contractor, or by
    an association, institute, or society whose membership consists of contractors,
    contractor employees, or DoD personnel, in accordance with
    DoD Regulation 5220.22, Chapter 1, Section C1.4.?

    Information Assurance

    Does the organization have an assigned Designated Approving Authority for its
    information systems, in accordance with DoD Directive 8500.1,
    Paragraphs 4.14.3 and 4.25?

    Has the organization designated, in writing, all information assurance-related
    positions (e.g., information assurance manager, information assurance officers,
    and privileged users), in accordance with DoD Instruction 8500.2, Section 5.8?

    Are procedures in place for the Information Assurance Officer to properly report
    information assurance incidents to the Designated Approving Authority and the
    DoD reporting chain, as required?

    Are procedures in place for the information assurance manager and the
    information assurance officer to implement protective measures or
    countermeasures in response to an information assurance incident or
    vulnerability?

    Is information assurance-related documentation for DoD information systems
    current and accessible to properly authorized individuals?

    Have information systems been categorized as automated information systems
    applications, enclaves (which include networks), outsourced information
    technology-based processes, or platform information technology connections, in
    accordance with DoD Directive 8500.1, Paragraph 4.2?

    Have information systems been assigned a mission assurance category and a
    confidentiality level based
    on the classification or sensitivity of the information
    processed, in accordance with DoD Instruction 8500.2, Enclosure 4,
    Paragraph E4.1.9.?

    Are applicable information assurance controls in place for the appropriate mission
    assurance category and information system confidentiality levels, in accordance
    with DoD Instruction 8500.2, Enclosure 4 and its attachments?

    Have Information Technology Position Categories been designated for personnel
    occupying information systems positions performing on unclassified information
    systems, in accordance with DoD Instruction 8500.2, Enclosure 2,
    Paragraph E2.1.36, and DoD Regulation 5200.2?

    Do information assurance managers, information assurance officers, and
    privileged users hold appropriate U.S. Government security clearances
    commensurate with the level of information processed by the facility’s
    information systems or enclaves?

    Do privileged-user personnel with management access to unclassified information
    systems have the appropriate background investigation, in accordance with
    DoD Instruction 8500.2, Enclosure 3, Table E3.T1?

    Are personnel granted access to DoD information systems only on a need-to-know
    basis, in accordance with DoD Directive 8500.1, Paragraph 4.8 and
    DoD Instruction 8500.2, Paragraph 5.7.11?

    Is foreign national access to information available on information systems
    controlled, in accordance with DoD Directive 5230.20, DoD Directive 8500.1,
    and DoD Instruction 8500.2?

    Are all DoD information systems certified and accredited, in accordance with
    DoD Directive 8500.1 and DoD Instructions 8500.2 and 5200.40?

    Does the facility have processes in place for reviewing and evaluating the content
    of all its associated Internet sites to determine whether they comply with DoD
    Web-site Administration and Procedures, November 25, 1998, and updates?

    Is the Information Assurance Vulnerability Alert program managed in
    accordance
    with Deputy Secretary of Defense memorandum, “DoD Information Assurance
    Vulnerability Alert,” December 30, 1999?

    Is information assurance awareness training provided to all personnel with access
    to DoD information systems, in accordance with DoD Instruction 8500.2,
    Section 5.7.7.?

    Operations Security

    Has an operations security program been established, in accordance with National
    Security Decision Directive 298 and DoD Directive 5205.2, Paragraph 5.2.?

    Are the operations security plans and programs reviewed and validated annually,
    in accordance with DoD Directive 5205.2, Paragraph 5.2.1.4.?

    Is there an operations security education and awareness training program and does
    it comply with DoD Directive 5205.2, Paragraph 5.2.1.3.?

    Industrial Security

    Does the contractor have a designated security officer?

    Were operations security requirements and security clauses included in contracts,
    when applicable, in accordance with DoD Directive 5205.2, Paragraph 5.2.4.?

    Are policies and procedures in place for sponsoring conferences, seminars,
    symposia, exhibits, or conventions at which classified information is disclosed
    and which is conducted by a DoD Component, by a cleared DoD contractor, or by
    an association, institute, or society whose membership consists of contractors,
    contractor employees, or DoD personnel, in accordance with
    DoD Regulation 5220.22, Chapter 1, Section C1.4.?

    Does the Component issue any classified contracts to facilities that are under
    foreign ownership, control, or influence? If so, how many?
    Does each facility
    that is under significant foreign ownership, control, or influence have a security
    clearance verification letter issued by the Defense Security Service that reflects
    the vehicle (Special Security Agreement, Proxy Agreement, Voting Trust
    Agreement) put in place to mitigate/negate the facility’s significant foreign
    ownership, control, or influence, in accordance with DoD Manual 5220.22,
    “National Industrial Security Program Operating Manual,” Chapter 2, Section 3?

    If the Component issued classified contracts to facilities under significant foreign
    ownership, control, or influence, has the Component contacted the applicable
    Defense Security Service office to determine how the foreign owned, controlled,
    or influenced mitigation/negation vehicle is working, in accordance with
    DoD Manual 5220.22, Chapter 2, Section 3?

    Does the organization use DD Form 254, “DoD Contract Security Classification
    Specification” and the guidance contained in DoD Regulation 5220.22,
    Appendix 4, when considering and applying classifications to a particular plan,
    program, project or study?

    Has the organization outlined the industrial security functional responsibilities of
    contracting officers commensurate with those outlined in
    DoD Regulation 5220.22, Appendix 3?

    Does the organization conduct analysis and take precautions before it authorizes
    contractors to release unclassified economic and technical information in press
    releases, advertisements, notices to stockholders, and annual or quarterly reports
    that could contribute to an accurate appraisal of the strategic intentions of the
    United States, in accordance with DoD Regulation 5220.22, Appendix 1?

    Are security policies and procedures in place for contractor visits to the activities,
    in accordance with DoD Regulation 5220.22, Chapter 3?

    Are procedures in place to conduct
    administrative inquiries, investigations, and
    other administrative actions in connection with reports of sabotage, espionage,
    and subversive activities, and the loss, compromise, suspected compromise, or
    security violations involving the United States and foreign classified information
    established as outlined in DoD Regulation 5200.1, Chapter 10 and
    DoD Regulation 5220.22, Chapter 5?

    Are procedures in place for coordinating with the Defense Security Service on
    security issues (e.g., security violations, visit control, and security education)
    involving cleared contractor personnel or facilities?

    Has the organization prescribed the requirements and established the procedures
    to identify the classification of information turned over to contractors? Has the
    organization outlined the responsibility for issuing instructions for disposing of
    classified information on final delivery of goods or services or on termination of a
    classified contract? Has the organization also identified other security
    requirements for prime contracts and subcontracts, in accordance with
    DoD Regulation 5220.22, Chapter 7?

    Security Education

    Has an employee security education program been established, evaluated, and
    maintained, in accordance with DoD Regulation 5200.1, Chapter 9?

    Are employees aware of their security responsibilities, in accordance with
    DoD Regulation 5200.1, Chapter 9 and DoD Regulation 5200.2, Chapter 9,
    Section C9.2.?

    Has the organization developed a foreign travel briefing for personnel with access
    to classified information to alert them to possible exploitation by foreign
    intelligence services, in accordance with DoD Regulation 5200.2, Chapter 9,
    Sections C9.1.4.
    and C9.2.4.?

    Has an operations security education and awareness training program been
    established, in accordance with DoD Directive 5205.2, Paragraph 5.2.1.3.?

    Does the security education program address the need to protect classified
    information and hardware and any other information or hardware that is
    considered sensitive by the organization?

    Has the organization addressed the educational aspects and training requirements
    of the DoD Component’s applicable regulations or DoD Regulation 5220.22,
    Chapter 6?

    Has the organization developed a program to periodically brief personnel on the
    threats posed by foreign intelligence, foreign commercial enterprises, terrorists,
    computer intruders, and unauthorized disclosure, in accordance with
    DoD Instruction 5240.6, Paragraphs 4.2 and 6.1?

    Has the organization, where appropriate, developed training for implementing
    acquisition program protection and managing risk referred to in
    DoD Directive 5200.39, Paragraph 4.7, and DoD Manual 5200.1, Section C2.9.?

    Is the security training program adequate to prepare the designated officer to
    oversee the activity’s Information Security Program?

Research and Technology Protection

    Counterintelligence Support for Facilities

    Has critical program information been identified for the counterintelligence
    support plan?

    Does the facility have an approved counterintelligence support plan?

    Are agreed-upon counterintelligence support activities in the counterintelligence
    support plan being accomplished?

    Are full-time, dedicated, counterintelligence specialists from DoD Components
    assigned to provide research and technology protection? If not, what type of
    service is provided?
    Is this adequate?

    Does the facility or its programs have a current Multidiscipline
    Counterintelligence Threat Assessment?

    Are the Program Managers or key acquisition program personnel, or both,
    receiving threat reports, threat estimates, and other threat analysis products on
    research and technology protection from DoD Component counterintelligence
    agencies on a recurring basis?

    Are security, management, and acquisition program personnel kept current about
    local matters of counterintelligence interest?

    Security and Counterintelligence Support for Acquisition Systems

    Deputy Secretary of Defense memorandum, “Cancellation of DoD 5000 Defense
    Acquisition Policy Documents,” October 30, 2002, replaced
    DoD Directive 5000.1, DoD Instruction 5000.2, and DoD Regulation 5000.2 with
    the Interim Defense Acquisition Guidebook, October 17, 2004.

    Has the organization identified its critical program information in accordance with
    DoD Directive 5200.39, Paragraph 4.1.
    and the Interim Defense Acquisition
    Guidebook, Chapter 8?

    Have programs with critical program information completed the following tasks,
    in accordance with DoD Directive 5200.39:

       • Identified program goals and objectives to the supporting security,
         counterintelligence, and intelligence organizations (Paragraph 4.2.)?

       • Identified system vulnerabilities (Paragraph 4.2.)?

       • Performed risk management evaluations for cost-effective measures
         (Paragraph 4.2.)?

       • Developed a program protection plan as described in DoD Manual 5200.1
         (Chapters 2 and 3) and the Interim Defense Acquisition Guidebook,
         approved by the program manager, and reviewed by the milestone
         decision authority?

       • Reported incidents of loss, compromise, or theft of identified critical
         program information in accordance with procedures in
         DoD Instruction 5240.4 and DoD Regulation 5200.1, Chapter 10?

    Does the organization or acquisition program manager provide tailored
    counterintelligence support to acquisition programs with critical program
    information throughout their life cycles in accordance with
    DoD Directive 5200.39 and the Interim Defense Acquisition Guidebook,
    Chapter 8?

    Does the program protection plan for each acquisition program with critical
    program information include an approved counterintelligence support plan?

    Is the life-cycle counterintelligence support that is documented in the
    counterintelligence support plan being provided to protect critical program
    information?

    Does the counterintelligence support plan include all required annexes for each
    facility where there is critical program information?

    Is a DoD counterintelligence agency providing agreed-upon counterintelligence
    support as stated in the counterintelligence
    support plan?

    Have the countermeasures identified in the program protection plan been
    employed in accordance with DoD Manual 5200.1, Section C3.9? Do the
    program manager and the program manager’s staff know the results of the
    employment of the countermeasures?

    Did the program manager request a multidiscipline counterintelligence threat
    assessment for programs having critical program information, in accordance with
    DoD Manual 5200.1, Section C3.8.? If so, did a DoD Component
    counterintelligence agency provide the assessment? How current is the
    document?

    Is the program manager receiving foreign intelligence, and other related threats to
    acquisition programs with critical program information, from DoD
    counterintelligence and other agencies? Has the program manager received
    updated threat and other counterintelligence information from the point of contact
    of each program with critical program information throughout the life cycle of the
    program, in accordance with the Interim Defense Acquisition Guidebook,
    Chapter 8?

    Did the program manager document and implement anti-tamper measures for
    programs or systems with critical program information, in accordance with the
    Interim Defense Acquisition Guidebook, Chapter 8?

    If the program manager determines that there is no critical program information
    associated with the program (neither integral to the program nor inherited from a
    supporting program), a program protection plan is not required.
    Has the program
    manager made this determination in writing for review by the milestone decision
    authority, in accordance with DoD Directive 5200.39, Section 4.3.3.?

    Is controlled unclassified information about programs, technologies, or systems
    identified, controlled, and protected from unauthorized disclosure, in accordance
    with DoD Regulation 5200.1, Appendix 3?

    Has an integrated process team been established to develop program-specific
    protection plans and to coordinate security, counterintelligence, and intelligence
    issues as outlined in DoD Directive 5200.39, Section 4.5., and described in
    DoD Manual 5200.1, Section C3.2.?

    Is basic DoD acquisition indoctrination and/or unique business training available
    for responsible security and counterintelligence personnel? Have they received
    that training?

Counterintelligence

    Counterintelligence

    Are records of incidents and reported information maintained by the organization,
    in accordance with DoD Instruction 5240.6, Paragraphs 4.1. and 6.2.?

    If the organization is a DoD Component that does not have a counterintelligence
    capability, as highlighted in the Lead Agency assignment list in
    DoD Instruction 5240.10, Enclosures 4 and 5, does the Component and its
    supporting counterintelligence office have a signed counterintelligence support
    agreement, in accordance with DoD Instruction 5240.10, Paragraph 5.5.7.1.?

    Have all counterintelligence field personnel providing research and technology
    protection support received or scheduled required specialized training on how to
    perform this mission?
     If not, does the organization have a plan to train all personnel who require
     the specialized training?

     Are dedicated, full-time counterintelligence specialists assigned to research and
     technology protection duties at major research, development, test, and evaluation
     sites?

     Does the unit/program/activity need technical surveillance countermeasures
     support? If so, was the support provided and was it timely?

     Has the counterintelligence and security program been assessed (once that
     program has been started)? When was the last assessment?

     If you need or receive counterintelligence support, on a scale of 1 to 10, with 1
     being the lowest and 10 being the highest, how would you rate the quality of the
     support you receive from your local counterintelligence office? Please explain.

International Security

     Disclosure of Classified Military Information to Foreign Governments

     Has the organization designated a disclosure authority, in accordance with
     DoD Directive 5230.11, Paragraphs 4.1. and 5.2.?

     Is the designated disclosure authority familiar with the National Disclosure
     Policy-1, “National Policy and Procedures for the Disclosure of Classified
     Military Information to Foreign Governments and International Organizations,”
     and DoD Directive 5230.11?

     When classified military information was disclosed to foreign governments in
     support of a lawful and authorized U.S. Government purpose by individuals who
     were specifically delegated disclosure authority:

        •   Were the disclosures made in accordance with National Disclosure
            Policy-1 and DoD Directive 5230.11?

        •   Did the designated disclosure authorities receive security assurance on the
            individuals who were to receive the information, in accordance with
            DoD Directive 5230.11, Paragraph 4.4. and DoD Regulation 5200.1?

        •   Did the designated disclosure authority authorize, in advance, proposals to
            be made to foreign governments that could lead to the eventual disclosure
            of classified military material, technology or information, in accordance
            with DoD Directive 5230.11, Paragraph 4.5.?

        •   Were disclosures and denials of classified military information reported in
            the Foreign Disclosure and Technical Information System, in accordance
            with DoD Instruction 5230.18 and DoD Directive 5230.11?

     Does the organization have procedures in place to preclude unauthorized access to
     controlled unclassified information and classified information by foreign visitors
     or their assignees, in accordance with DoD Directive 5230.20 and
     DoD Regulation 5200.1?

     Did participation of foreign nationals or government representatives in classified
     meetings and conferences at the facility comply with the requirements of
     DoD Directive 5230.20 and DoD Directive 5230.11; that is, was assurance
     obtained in writing from the responsible Government foreign disclosure office(s)
     that the information to be presented was cleared for foreign disclosure?

     Do the organization’s procedures for releasing and transmitting classified
     information to foreign governments comply with the requirements of
     DoD Regulation 5200.1, Chapter 7 and Appendix 8?

Foreign Visits, Assignments, Exchanges and Travel

Is an automated capability or a visitor log maintained to track and document
foreign visitor access at sensitive facilities?

Is confirmation of automated information on foreign visitors provided to the
Counterintelligence Field Activity?

Are counterintelligence personnel reviewing the foreign visits system database for
trends or data to be extracted for analysis?

Are commanders informed of how many foreign visitors are received, the reason
for their visit, when they arrive, how long they stay, and what they are doing?

Do employees receive a security briefing before they visit foreign research
facilities or attend foreign professional conferences?

Do counterintelligence personnel interview employees after employees return
from travel to foreign laboratories or professional conferences?

Does any counterintelligence entity advise sponsoring organization personnel
about the possible implications of their sponsorship of individual foreign visitors
to the organization before and after visits?

Do procedures for approving each short- or long-term foreign visit differ for
classified information and unclassified information?

Are reporting procedures in place to encourage employees to report suspicious
contacts with foreign visitors to the security manager or a counterintelligence
official?

Does the security manager or a counterintelligence official brief employees before
and after foreign visits to the facility?

Does a counterintelligence entity report the results of foreign travel interviews
and other anomalous incidents regarding laboratory employees’ contact with
foreign visitors?

Is the facility in compliance with the visitor control and processing requirements,
as stated in DoD Directive 5230.20?
Is an appropriate international agreement in place to cover the visit or
assignment of foreign personnel for more than 30 days?

Do counterintelligence personnel conduct name checks on foreign visitors and
report the results to the appropriate facility personnel?

Are security procedures in place for foreign nationals at the facility? If so, what
are they?

   •   Are access controls in place for automated information systems?

   •   Do e-mail addresses clearly identify foreign nationals?

   •   Do badges identify the bearer as a foreign national?

Has a point of contact been designated to control the activities of foreign visitors,
cooperative program personnel, foreign liaison officers, and exchange personnel?

Is a designated official reviewing the organization’s compliance with
DoD Directive 5230.11, applicable DoD Component guidelines for the release of
classified and controlled unclassified information, and the specific disclosure
guidelines established in the pertinent Delegation of Disclosure Authority Letter,
in accordance with DoD Directive 5230.20?

Are all foreign nationals who are authorized unescorted access to DoD facilities
issued with badges or passes that clearly identify them as foreign nationals, in
accordance with DoD Directive 5230.20, Paragraph 4.12.?

Are procedures in place for releasing and transmitting controlled unclassified
information, such as information subject to export controls, in accordance with
DoD Regulation 5200.1, Appendix 3, and DoD Directive 5230.20,
Paragraph 4.10.?

Has the organization coordinated with the Defense Security Service and
appropriate DoD Components on the assignment of foreign liaison officers or
extended visitors performing on a classified contract at a DoD-cleared contractor
facility, in accordance with DoD Directive 5230.20?

Arms Control

Do facility security plans, policies, and procedures appropriately consider arms
control agreements if the facility or program is involved in implementing arms
control, in accordance with DoD Directive 5205.10, Paragraph 4.2?

Appendix A. Scope and Methodology

   The DoD Inspectors General or officials responsible for providing oversight to
   research, development, test, and evaluation facilities should use the guidelines to
   assess how DoD implements policy for research and technology protection,
   security, and counterintelligence. We updated each reference from the 2003
   inspection guidelines, then coordinated the revised guidelines with DoD
   Inspectors General or officials responsible for providing oversight to research,
   development, test, and evaluation facilities to ensure the currency of the
   guidelines.

   Our scope was limited in that we did not include tests of management controls or
   validate the information or results reported in summarized reports. However,
   DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996,
   and DoD Instruction 5010.40, “Management Control (MC) Program Procedures,”
   August 28, 1996, require DoD organizations to implement a comprehensive
   system of management controls that provides reasonable assurance that programs
   are operating as intended and that evaluating the adequacy of management
   controls should be an integral aspect of the inspection program.

Appendix B. References

   National Security Decision Directive 298, “National Operations Security
   Program,” January 22, 1998.
   http://www.fas.org/irp/offdocs/nsdd298.htm

   National Disclosure Policy-1, “National Policy and Procedures for the Disclosure
   of Classified Military Information to Foreign Governments and International
   Organizations.” (Classified)

   Department of Defense Directive 2000.12, “DoD Antiterrorism (AT) Program,”
   August 18, 2003. http://www.dtic.mil/whs/directives/corres/html/200012.htm

   Department of Defense Directive 5200.2, “DoD Personnel Security Program,”
   April 9, 1999. http://www.dtic.mil/whs/directives/corres/html/52002.htm

   Department of Defense Directive 5200.39, “Security, Intelligence, and
   Counterintelligence Support to Acquisition Program Protection,”
   September 10, 1997. http://www.dtic.mil/whs/directives/corres/html/520039.htm

   Department of Defense Directive 5205.2, “DoD Operations Security (OPSEC)
   Program,” November 29, 1999.
   http://www.dtic.mil/whs/directives/corres/html/52052.htm

   Department of Defense Directive 5205.10, “Department of Defense Treaty
   Inspection Readiness Program (DTIRP),” December 5, 2000.
   http://www.dtic.mil/whs/directives/corres/html/520510.htm

   Department of Defense Directive 5230.11, “Disclosure of Classified Military
   Information to Foreign Governments and International Organizations,”
   June 16, 1992.
   http://www.dtic.mil/whs/directives/corres/html/523011.htm

   Department of Defense Directive 5230.20, “Visits and Assignments of Foreign
   Nationals,” June 22, 2005.
   http://www.dtic.mil/whs/directives/corres/html/523020.htm

   Department of Defense Directive 8500.1, “Information Assurance (IA),”
   October 24, 2002.
   http://www.dtic.mil/whs/directives/corres/pdf/d85001_102402/d85001p.pdf

   Department of Defense Instruction 5230.18, “DoD Foreign Disclosure and
   Technical Information System (FORDTIS),” November 6, 1984.
   http://www.dtic.mil/whs/directives/corres/html/523018.htm

   Department of Defense Instruction 5200.40, “DoD Information Technology
   Security Certification and Accreditation (C&A) Process (DITSCAP),”
   December 30, 1997.
   http://www.dtic.mil/whs/directives/corres/pdf/i520040_123097/i520040p.pdf

   Department of Defense Instruction 5240.4, “Reporting of Counterintelligence and
   Criminal Violations,” September 22, 1992.
   http://www.dtic.mil/whs/directives/corres/html/52404.htm

   Department of Defense Instruction 5240.10, “Counterintelligence Support to the
   Combatant Commands and the Defense Agencies,” May 14, 2004.
   http://www.dtic.mil/whs/directives/corres/html/524010.htm

   Department of Defense Instruction 5240.6, “Counterintelligence (CI) Awareness,
   Briefing, and Reporting Programs,” August 7, 2004.
   http://www.dtic.mil/whs/directives/corres/html/52406.htm

   Department of Defense Instruction 8500.2, “Information Assurance (IA)
   Implementation,” February 6, 2003.
   http://www.dtic.mil/whs/directives/corres/pdf/i85002_020603/i85002p.pdf

   Department of Defense Manual 5200.1, “Acquisition Systems Protection
   Program,” March 1994.
   http://www.dtic.mil/whs/directives/corres/pdf/52001m_0394/p52001m.pdf

   Department of Defense Manual 5220.22, “National Industrial Security Program
   Operating Manual,” (NISPOM) January 1995, including July 1997 and
   February 2001 changes to NISPOM.
   http://www.dtic.mil/whs/directives/corres/html/522022m.htm
   NISPOM Supplement:
   http://www.dtic.mil/whs/directives/corres/html/522022ms.htm

   Interim Defense Acquisition Guidebook, October 17, 2004.
   http://akss.dau.mil/dag/DoD5000.asp

   Department of Defense Regulation 5200.1, “Information Security Program,”
   January 1997. http://www.dtic.mil/whs/directives/corres/html/52001r.htm

   Department of Defense Regulation 5200.2, “Personnel Security Program,”
   (change 3), February 23, 1996.
   http://www.dtic.mil/whs/directives/corres/html/52002r.htm

   Department of Defense Regulation 5200.8, “Physical Security Program,”
   May 1991. http://www.dtic.mil/whs/directives/corres/html/52008r.htm

   Department of Defense Regulation 5220.22, “Industrial Security Regulation,”
   December 1985. http://www.dtic.mil/whs/directives/corres/html/522022r.htm

   DoD Information Assurance Vulnerability Alert (IAVA) Program,
   December 30, 1999. http://iase.disa.mil/policy.html

   DoD Web-Site Administration Policies & Procedures, November 25, 1998.
   http://www.defenselink.mil/webmasters/policy/dod_web_policy_12071998_with_amendments_and_corrections.html

   DoD Pamphlet 5200.1, “DoD Guide to Marking Classified Documents,”
   April 1997. http://www.dtic.mil/whs/directives/corres/html/52001ph.htm

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Intelligence
Under Secretary of Defense for Acquisition, Technology and Logistics
Deputy Under Secretary of Defense (Laboratories and Basic Sciences)

Department of the Army
Auditor General, Department of the Army
Inspector General, Department of the Army

Department of the Navy
Auditor General, Department of the Navy
Naval Inspector General

Department of the Air Force
Auditor General, Department of the Air Force
Inspector General, Department of the Air Force

Other Defense Organizations
Director, Defense Test Resource Management Center
Director, Program Integration, Internal Management Review, Missile Defense Agency

Team Members

The Department of Defense Office of the Deputy Inspector General for
Intelligence prepared this report. Personnel of the Department of Defense Office
of Inspector General who contributed to the report are listed below.

Shelton R. Young
Donald A. Ragley
David Ingram
Jacqueline Pugh